Address encryption method for flash memories

ABSTRACT

In order to further develop a data processing device, in particular an electronic memory component, comprising a plurality of access-secured sub-areas, in particular a plurality of access-secured memory areas, each having at least one assigned parameter (a_(n), a_(n−1), . . . , a₀), in particular address, and a method of encrypting at least one parameter (a_(n), a_(n−1), . . . , a₀), in particular the address, of at least one access-secured sub-area, in particular at least one access-secured memory area, of at least one data processing device, in particular at least one electronic memory component, in such a way that on the one hand the security of such devices is increased considerably and on the other hand the associated expense and technical complexity are not too great, it is proposed that the parameter (a_(n), a_(n−1), . . . , a₀) of at least one sub-area be capable of encryption only in certain areas, i.e. in dependence on at least one further sub-area (a′_(n), a′_(n−1), . . . , a′₁, a′₀).

The present invention relates to a data processing device, in particular an electronic memory component, comprising a plurality of access-secured sub-areas, in particular a plurality of access-secured memory areas, each having at least one assigned parameter (a_(n), a_(n−1), . . . , a₁, a₀), in particular address.

The present invention further relates to a method of encrypting at least one parameter (a_(n), a_(n−1), . . . , a₁, a₀), in particular the address, of at least one access-secured sub-area, in particular at least one access-secured memory area, of at least one data processing device, in particular at least one electronic memory component.

In known methods of encrypting confidential data, such as for instance personal data, key data or otherwise sensitive data, a non-volatile memory unit can only be encrypted as a compact physical overall memory in a more or less fixed manner; this means, in other words, that access can only conventionally be denied to memories in their entirety.

This method, known from the prior art, of encrypting entire I[ntegrated] C[ircuit] areas is considered disadvantageous in view of the high cost associated therewith together with its technical complexity and lack of flexibility. For this reason, attempts are constantly being made to develop alternative methods of encrypting access-secured memory areas or other sub-areas.

If, for instance, to control a memory of the size M=2^(i)=2^(n+1) with i=n+1 address buses, precisely these address buses are encrypted over the entire address space, modification of one address bus would have the possible effect of modifying a plurality of address buses, indeed even those address buses which ensure that a physically remote memory cell is addressed.

This is not sensible for a number of memory types, including in particular memories which are organized into areas, such as E[rasable] P[rogrammable] R[ead] O[nly] M[emory], E[lectrically] E[rasable] P[rogrammable] R[ead] O[nly] M[emory] or Flash memory. Separation of the address buses into a number of areas and subsequent independent encryption of each of the individual areas is inadequate, however, with regard to security.

Taking as basis the above-described disadvantages and shortcomings and acknowledging the outlined prior art, it is an object of the present invention so to develop a data processing device, in particular an electronic memory component, of the above-mentioned type together with an encryption method related thereto, that on the one hand the security of such devices is increased considerably and on the other hand the expense associated therewith and the technical complexity are not too great.

This object is achieved with a data processing device, in particular an electronic memory component of non-volatile nature, having the features indicated in claim 1 and by an encryption method related thereto having the features indicated in claim 6. Advantageous embodiments and expedient further embodiments of the present invention are identified in the respective dependent claims.

According to the teaching of the present invention, therefore, a completely novel approach to area-wise encryption of memory contents is provided, i.e. a new method is disclosed for encrypting access-secured memory sectors of non-volatile nature and/or other sub-sectors.

To this end, the present invention allows parts of the (address) parameters of the memory areas to be encrypted in different ways with regard to the object and/or with regard to the customer and/or with regard to the “die”. This means, in other words, that some sub-areas or sectors of the address do not affect all the addresses, unlike in the prior art.

According to the invention, therefore, encryption of one access-secured sub-area, in particular an access-secured memory area, is performed while taking account of the other respectively available sub-areas, in particular memory areas. This makes it possible to encrypt each sub-area with in each case different parameters.

According to a preferred embodiment of the present invention, an unencrypted address of the form a_(n), a_(n−1), . . . , a₁, a₀ may take the following appearance, in accordance with the above-described encryption method: f₁(a_(n)), f₂(f₁(a_(n))+a_(n−1)), f₃(f₂(f₁(a_(n))+a_(n−1))+a_(n−2)), . . . , f_(n+1)(f_(n)(f_(n−1)( . . . ))), i.e. an unencrypted address of the form a_(n), a_(n−1), . . . , a₁, a₀ may be mapped onto i=n+1 (scramble) functions f_(i).

In this context, it is obvious that although variation of the parameter a_(n), in particular of the address parameter, may influence all the other address buses, variation of the parameter a_(n−1) does not have any influence on the most significant function f₁(a_(n)).

It is expedient for f_(i)(a) to be any desired one-to-one function, i.e. there are precisely 2^(i) plain/cipher pairs, wherein an unencrypted address a_(n), a_(n−1), . . . , a₁, a₀ is always transformed into a unique encrypted address a′_(n), a′_(n−1), . . . , a′₁, a′₀. On the other hand, the function f_(i) itself does not have to be bijective, i.e. it does not have to be reversible.

In an advantageous further embodiment of the present invention, not all stages have to be fully performed, i.e. some functions f_(i) may directly reproduce the relevant address bit: a′=a. Alternatively or in addition thereto, the address buses may also be grouped; this may appropriately mean, inter alia, that the inputs to the functions f_(i) and the return values from the functions f_(i) may be several bits wide.

In an advantageous embodiment of the present invention,

-   for EPROM memories or for EEPROM memories division into two sub-areas with functions f_(i)(a_(n), . . . , a_(x)) and f₂(f₁(a_(x−1), . . . , a₀)) is useful and
-   for flash memories division into three sub-areas with functions f_(i)(a_(n), . . . , a_(x)), f₂(f₁(a_(x−1), . . . , a_(y))) and f₃(f₂(f₁(a_(y−1), . . . , a₀))) is useful.

According to a particularly inventive further embodiment, access-secured memory areas may be separately secured, i.e. boundary conditions which require a physical memory are fully utilized by the new method (the wide variety of encryptions is here limited only insignificantly).

The present invention further relates to a microcontroller, in particular a smart card controller, comprising at least one data processing device of the above-described type. Accordingly, the above-described method may preferably be built into all smart card designs, for example.

The present invention finally relates to the use of at least one data processing device, in particular at least one electronic memory component, of the above-described type in at least one chip unit, in particular in at least one smart card controller, in at least one reader I[ntegrated] C[ircuit] or in at least one crypto chipset, for example in the field of audio and/or video encryption.

As already discussed above, there are various possible ways of advantageously embodying and developing the teaching of the present invention. Reference is made, in this regard, to the claims subordinate to claims 1 and 6, and the invention will be further described with reference to examples of embodiments shown in the drawings to which, however, the invention is not restricted. In the Figures:

FIG. 1 is a schematic block diagram of an example of embodiment of the encryption method according to the present invention applied to a data processing device according to the present invention.

The encryption method according to the present invention for application in an electronic memory component is based on the idea of encrypting unencrypted addresses a_(n), a_(n−1), . . . , a₁, a₀ of an access-secured memory area only in certain areas, i.e. in dependence on one or more further memory areas, such that encrypted addresses a′_(n), a′_(n−1), . . . , a′₁, a′₀ are formed.

To this end, i=n+1 one-to-one (→2^(i)=2^(n+1) plain/cipher pairs) scramble functions f₁, f₂, . . . , f_(n), f_(n+1) are provided, such that, after mapping, the unencrypted addresses of the form a_(n), a_(n−1), . . . , a₁, a₀ have the following appearance when encrypted by the functions f_(i) (cf. FIG. 1): f₁(a_(n)), f₂(f₁(a_(n))+a_(n−1)), f₃(f₂(f₁(a_(n))+a_(n−1))+a_(n−2)), . . . , f_(n+1)(f_(n)(f_(n−1)( . . . )))

This makes it possible to encrypt each sub-area with in each case different parameters.

In this context, it is obvious that although variation of the addresses a_(n), a_(n−1), . . . , a₁, a₀ may influence all the other address buses, variation of the parameter a_(n−1) does not have any influence on the most significant function f₁(a_(n)).

As an alternative to that illustrated in FIG. 1, not all i=n+1 stages have to be fully performed, i.e. some functions f_(i) may also directly reproduce the relevant address bit: a′=a.

Furthermore, the address buses may also be grouped; this may mean, inter alia, that the inputs to the functions f_(i) and the return values from the functions f_(i) may be several bits wide.
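The cascade described above, with grouped address buses and the three sub-area division suggested for flash memories, as an added C example that is not part of the patent text. It assumes an 8-bit address split into sector, page and byte groups, constructed permutation tables standing in for f₁ to f₃, and "+" read as addition modulo the group size; it checks that the mapping is one-to-one and that varying the lower groups never changes the encrypted sector bits.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed layout (assumption): sector = bits 7..5, page = bits 4..2, byte = bits 1..0. */
enum { STAGES = 3 };
static const unsigned width[STAGES] = { 3, 3, 2 };

/* Constructed per-stage permutation tables standing in for f1, f2, f3. */
static const uint8_t f[STAGES][8] = {
    { 5, 2, 7, 0, 3, 6, 1, 4 },
    { 3, 6, 0, 5, 1, 7, 4, 2 },
    { 2, 0, 3, 1 },               /* only the first 4 entries are used */
};

/* a'_k = f_k(a'_(k-1) + a_k), with "+" taken modulo the group size (assumption). */
uint8_t scramble(uint8_t addr)
{
    unsigned shift = 8, prev = 0, out = 0;
    for (int k = 0; k < STAGES; k++) {
        unsigned mask = (1u << width[k]) - 1;
        shift -= width[k];
        unsigned group = (addr >> shift) & mask;   /* plain group a_k */
        prev = f[k][(prev + group) & mask];        /* encrypted group a'_k */
        out |= prev << shift;
    }
    return (uint8_t)out;
}

/* Returns 1 if every plain address maps to a distinct encrypted address. */
int is_one_to_one(void)
{
    uint8_t seen[256] = { 0 };
    for (unsigned a = 0; a < 256; a++)
        if (seen[scramble((uint8_t)a)]++) return 0;
    return 1;
}

/* Returns 1 if all 32 addresses of one plain sector share one encrypted sector. */
int sector_stays_together(unsigned sector)
{
    uint8_t first = scramble((uint8_t)(sector << 5)) >> 5;
    for (unsigned low = 0; low < 32; low++)
        if ((scramble((uint8_t)((sector << 5) | low)) >> 5) != first) return 0;
    return 1;
}
int main(void)
{
    printf("one-to-one=%d sector3-together=%d\n", is_one_to_one(), sector_stays_together(3));
    return 0;
}
```

Addresses 0x00 and 0x20 differ only in the sector group, yet their encrypted page and byte groups also differ, because each lower stage takes the output of the stage above it as input.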

LIST OF REFERENCE NUMERALS

-   a₀ first unencrypted address
-   a₁ second unencrypted address
-   a_(n−1) n^(th) unencrypted address
-   a_(n) n+1^(th) unencrypted address
-   a′₀ first encrypted address
-   a′₁ second encrypted address
-   a′_(n−1) n^(th) encrypted address
-   a′_(n) n+1^(th) encrypted address
-   f₁ first function, in particular first scramble function
-   f₂ second function, in particular second scramble function
-   f_(n) n^(th) function, in particular n^(th) scramble function
-   f_(n+1) n+1^(th) function, in particular n+1^(th) scramble function

1. A data processing device, in particular an electronic memory component, comprising a plurality of access-secured sub-areas, in particular a plurality of access-secured memory areas, each having at least one assigned parameter, in particular address, characterized in that the parameter of at least one sub-area may be encrypted only in certain areas, i.e. in dependence on at least one further sub-area.

2. A data processing device as claimed in claim 1, characterized in that the parameter to be encrypted may be encrypted in dependence, in particular as function, on at least one parameter of the further sub-area.

3. A data processing device as claimed in claim 2, characterized in that the input value to the function and/or the return value from the function is more than one bit wide.

4. A data processing device as claimed in claim 1, characterized in that the memory component takes the form of an E[rasable] P[rogrammable] R[ead] O[nly] M[emory], an E[lectrically] E[rasable] P[rogrammable] R[ead] O[nly] M[emory] or a Flash memory.

5. A microcontroller, in particular a smart card controller, comprising at least one data processing device as claimed in claim 1.

6. A method of encrypting at least one parameter, in particular the address, of at least one access-secured sub-area, in particular at least one access-secured memory area, of at least one data processing device, in particular at least one electronic memory component, characterized in that the parameter to be encrypted of the sub-area is encrypted only in certain areas, i.e. in dependence on at least one further sub-area.

7. A method as claimed in claim 6, characterized in that the parameter to be encrypted of the sub-area is encrypted in dependence, in particular as function, on at least one parameter of the further sub-area.

8. A method as claimed in claim 7, characterized in that the function f_(i)(a) is one-to-one.

9. A method as claimed in claim 6, characterized in that the access-secured sub-areas, in particular the access-secured memory areas, are secured separately.

10. Use of at least one data processing device, in particular at least one electronic memory component, as claimed in claim 1 in at least one chip unit, in particular in at least one smart card controller, in at least one reader I[ntegrated] C[ircuit] or in at least one crypto chipset, for example in the field of audio and/or video encryption.